Apply Non-Critical Patches to Non-Internet Systems Promptly
Ensure non-critical security patches are applied within a month if no active threats are identified.
Plain language
This control is about making sure that non-critical operating system updates for non-internet-facing systems (workstations, internal servers and internal network devices) are applied within a month of release. It's crucial because if these updates aren't applied, even minor vulnerabilities can be exploited by cybercriminals, leading to data breaches or system downtime.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Guideline
Guidelines for system management
Section
System patching
Official control statement
Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.
Why it matters
Delaying vendor-rated non-critical patches on non-internet systems can allow internal attackers to exploit known flaws, escalating access and impacting integrity.
Operational notes
Track vendor releases and apply non-critical OS patches to non-internet-facing workstations, servers and network devices within 30 days where no working exploits exist.
Implementation tips
- The IT team should maintain a clear schedule for applying non-critical patches. To do this, they can use a spreadsheet or a software tool to track when each patch is released and ensure it gets applied within 30 days.
- System administrators should regularly check vendor websites for patch updates. They can subscribe to email alerts or use automated tools to receive notifications when new security patches are released.
- Managers should ensure that there is enough IT support available to review and apply patches. This can be done by assessing team workloads and adjusting resources, so patch applications don't get delayed.
- System owners should communicate with vendors if they face issues applying a patch. They can do this by calling vendor support hotlines or using online help forums provided by the vendors.
- Office managers should have a monthly meeting with the IT team to go over the patching status. During this meeting, they should check any pending patches, discuss any problems encountered, and plan for future patching needs.
Audit / evidence tips
- Ask: a patch management schedule. Request to see documentation showing when patches are planned to be applied.
  Good: includes a consistently updated schedule demonstrating patch timelines.
- Ask: patch deployment logs. Request logs that show when patches were actually applied to systems.
- Ask: vendor communication records. Request any communications with vendors regarding patch issues or updates.
  Good: a good sign is timely responses and resolved issues related to patching, successfully documented.
- Ask: records of IT meetings. Request minutes or notes from meetings where patching was discussed.
  Good: a good example would be structured meeting records noting patch priorities and actions.
- Ask: training material or records. Request documentation or records showing the training system administrators receive regarding update processes.
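The audit evidence above (deployment logs showing release and apply dates) can be checked mechanically against the control's scoping rule and the 30-day window from the operational notes. The following is an added example, not code from the ISM or Control Stack; the record fields, host names and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Hypothetical patch-log record; field names are assumptions, not a vendor format.
@dataclass
class PatchRecord:
    patch_id: str
    host: str
    internet_facing: bool
    component: str            # "os" or "app"; ISM-1902 covers operating systems only
    vendor_severity: str      # the vendor's own rating, e.g. "critical", "important"
    working_exploit: bool     # a working exploit was known at assessment time
    released: date
    applied: Optional[date]   # None if not yet applied

ISM_1902_DAYS = 30  # "within one month"; 30 days as per the operational notes

def in_scope_ism_1902(p: PatchRecord) -> bool:
    """ISM-1902 applies only to OS patches on non-internet-facing devices that the
    vendor rates non-critical and for which no working exploit exists."""
    return (p.component == "os" and not p.internet_facing
            and p.vendor_severity != "critical" and not p.working_exploit)

def assess(p: PatchRecord, today: date) -> str:
    """Classify one record: out_of_scope, compliant, pending, overdue or late."""
    if not in_scope_ism_1902(p):
        return "out_of_scope"      # a different (stricter) control governs it
    deadline = p.released + timedelta(days=ISM_1902_DAYS)
    if p.applied is None:
        return "overdue" if today > deadline else "pending"
    return "compliant" if p.applied <= deadline else "late"

def findings(records: List[PatchRecord], today: date) -> List[Tuple[str, str, str]]:
    """Audit view: every record that has breached, or is breaching, the window."""
    return [(p.patch_id, p.host, assess(p, today))
            for p in records if assess(p, today) in ("overdue", "late")]

# Constructed sample log; the review date is fixed so the result is reproducible.
TODAY = date(2024, 3, 15)
SAMPLE = [
    PatchRecord("KB-0001", "ws-01", False, "os", "important", False, date(2024, 1, 10), date(2024, 1, 30)),
    PatchRecord("KB-0002", "srv-db", False, "os", "moderate", False, date(2024, 1, 20), None),
    PatchRecord("KB-0003", "sw-core", False, "os", "important", False, date(2024, 2, 25), None),
    PatchRecord("KB-0004", "web-01", True, "os", "important", False, date(2024, 2, 1), None),
    PatchRecord("KB-0005", "ws-02", False, "os", "important", True, date(2024, 2, 1), None),
    PatchRecord("KB-0006", "ws-03", False, "os", "moderate", False, date(2024, 1, 1), date(2024, 2, 15)),
]
```

Records marked out_of_scope are not ignored in practice; they fall under the stricter timeframes of other controls (the mappings below name E8-PO-ML1.6 for internet-facing servers), which this check deliberately does not model.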
Cross-framework mappings
How ISM-1902 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Control | Relationship | Notes |
|---|---|---|
| E8-PO-ML1.5 | Partially overlaps | ISM-1902 requires organisations to apply non-critical operating system patches to non-internet-facing systems within one month when no wo... |
| E8-PO-ML1.6 | Partially overlaps | E8-PO-ML1.6 requires non-critical OS patches for internet-facing servers and internet-facing network devices to be applied within two wee... |
| E8-PO-ML3.3 | Partially overlaps | ISM-1902 requires organisations to apply non-critical operating system patches to non-internet-facing systems within one month when no wo... |
| E8-PO-ML3.4 | Related | E8-PO-ML3.4 requires patches, updates or vendor mitigations for non-critical OS vulnerabilities (with no working exploits) to be applied ... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.